AuthorizationHeaderFilter is using id_token instead of access_token

I’m currently trying to create a new application using the full-stack-project-template and integrate UAA OAUTH2 as an authentication method.

By default the AuthorizationHeaderFilter is using the id_token to authorize with the backend, but this token is not sufficient as it does not contain any authorities / roles.
To my understanding, the access_token should be used to authorize instead.

How are other applications able to extract the user's roles using the id_token?
Is there something else I have to do to be able to authenticate using this token?

Hi @stefan-sparse-array
I would agree with you; in this case access_token should be used in case you want to access any resource server. We (UAA) should support the case of using both access_token and id_token for sending to the resource server.

In case you want a workaround so you can continue the work:

  • You can configure your ID to have a mapping to the id_token.
  • You can write an AuthorizationHeaderFilter which extracts the access_token as the input for the Authorization header.

The concrete A12 bug ticket has been created: A12UAA-1667
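The second workaround above, a filter that puts the access_token rather than the id_token into the Authorization header, sketched as an added, framework-neutral TypeScript example. This is not A12 or UAA code: the `TokenSet` shape, the `authorities` claim name and the sample tokens are assumptions constructed for this example, and the base64url codec is included only so the block runs without any dependency. Besides choosing the right token, the filter checks that the chosen token actually carries a roles claim, which surfaces the misconfiguration described in the question before the resource server rejects the request.

```typescript
// Added example (not A12/UAA project code): client-side selection of the
// access_token for the Authorization header, plus a claim check that would
// have exposed the "id_token has no roles" problem early.

// Tokens a client holds after an OAuth2/OIDC login (assumed shape).
interface TokenSet {
  id_token: string;      // identity claims for the client; not meant for resource servers
  access_token: string;  // what a resource server expects as the Bearer credential
}

// Minimal base64url codec (RFC 4648 §5, no padding) so the block has no dependencies.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

function base64UrlEncode(s: string): string {
  let bits = 0, buf = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    buf = (buf << 8) | (s.charCodeAt(i) & 0xff); bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL[(buf >> bits) & 0x3f]; buf &= (1 << bits) - 1; }
  }
  if (bits > 0) out += B64URL[(buf << (6 - bits)) & 0x3f];
  return out;
}

function base64UrlDecode(s: string): string {
  let bits = 0, buf = 0, out = "";
  for (const ch of s.replace(/=+$/, "")) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url character: " + ch);
    buf = (buf << 6) | v; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((buf >> bits) & 0xff); buf &= (1 << bits) - 1; }
  }
  return out;
}

// Decode a JWT payload WITHOUT verifying the signature: verification is the
// resource server's job; the client only inspects claims to pick the right token.
function decodeJwtPayload(jwt: string): Record<string, unknown> {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected header.payload.signature");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Claim the resource server reads roles from (assumed; UAA-style tokens use "authorities").
const AUTHORITIES_CLAIM = "authorities";

function carriesAuthorities(jwt: string): boolean {
  const value = decodeJwtPayload(jwt)[AUTHORITIES_CLAIM];
  return Array.isArray(value) && value.length > 0;
}

// The filter logic: always send the access_token as the Bearer credential, and
// fail fast if it would be rejected anyway because no roles are mapped into it.
function buildAuthorizationHeader(tokens: TokenSet): string {
  if (!tokens.access_token) {
    throw new Error("no access_token available; cannot authorize against the resource server");
  }
  if (!carriesAuthorities(tokens.access_token)) {
    throw new Error(`access_token has no '${AUTHORITIES_CLAIM}' claim; check the UAA role/scope mapping`);
  }
  return `Bearer ${tokens.access_token}`;
}

// Constructed sample tokens for a local run: alg "none", empty signature segment.
// The id_token carries identity only; the access_token carries the roles.
function sampleJwt(payload: object): string {
  return `${base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }))}.${base64UrlEncode(JSON.stringify(payload))}.`;
}
const SAMPLE_TOKENS: TokenSet = {
  id_token: sampleJwt({ sub: "alice", email: "alice@example.test" }),
  access_token: sampleJwt({ sub: "alice", authorities: ["ROLE_USER"], scope: ["read"] }),
};

// Usage: the header value the outgoing request should carry.
const headerValue = buildAuthorizationHeader(SAMPLE_TOKENS);
console.log(headerValue.slice(0, 40) + "...");
```

Wiring this into a real HttpInterceptor or servlet filter only means calling `buildAuthorizationHeader` with the tokens the login flow stored and setting the returned value on the request; the claim check is cheap because it decodes without verifying, and the resource server still performs the real signature and expiry validation.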